1.2 Resource Provisioning and Configuration
Key Takeaways
- Azure AI resources can be provisioned using the Azure portal, Azure CLI, Azure PowerShell, ARM templates, Bicep templates, or Terraform.
- Every Azure AI resource has an endpoint URL and authentication keys (or Entra ID credentials) for API access.
- Pricing tiers (Free F0 and Standard S0) determine throughput limits, available features, and SLA guarantees.
- Regional availability varies by service — not all AI services are available in every Azure region.
- Resource naming, tagging, and organization within resource groups and subscriptions are essential for production management.
Resource Provisioning and Configuration
Quick Answer: Azure AI resources are provisioned through the Azure portal, CLI, PowerShell, or infrastructure-as-code (ARM/Bicep). Each resource has an endpoint URL and authentication credentials. Choose between Free (F0) and Standard (S0) tiers based on throughput needs and SLA requirements.
Provisioning Methods
Azure Portal (GUI)
- Navigate to Create a resource → AI + Machine Learning
- Select the desired AI service (e.g., "Azure AI services" for multi-service)
- Configure: Subscription, Resource Group, Region, Name, Pricing Tier
- Review and Create
Azure CLI
```bash
# Create a resource group
az group create --name rg-ai-prod --location eastus

# Create a multi-service Azure AI resource
az cognitiveservices account create \
  --name my-ai-services \
  --resource-group rg-ai-prod \
  --kind CognitiveServices \
  --sku S0 \
  --location eastus \
  --yes

# Create a single-service Vision resource
az cognitiveservices account create \
  --name my-vision-service \
  --resource-group rg-ai-prod \
  --kind ComputerVision \
  --sku S1 \
  --location eastus \
  --yes

# Get the endpoint and keys
az cognitiveservices account show \
  --name my-ai-services \
  --resource-group rg-ai-prod \
  --query "properties.endpoint"

az cognitiveservices account keys list \
  --name my-ai-services \
  --resource-group rg-ai-prod
```
ARM Template (Infrastructure as Code)
```json
{
  "type": "Microsoft.CognitiveServices/accounts",
  "apiVersion": "2023-05-01",
  "name": "my-ai-services",
  "location": "eastus",
  "kind": "CognitiveServices",
  "sku": {
    "name": "S0"
  },
  "properties": {
    "publicNetworkAccess": "Enabled",
    "customSubDomainName": "my-ai-services"
  }
}
```
Bicep Template
```bicep
resource aiServices 'Microsoft.CognitiveServices/accounts@2023-05-01' = {
  name: 'my-ai-services'
  location: 'eastus'
  kind: 'CognitiveServices'
  sku: {
    name: 'S0'
  }
  properties: {
    publicNetworkAccess: 'Enabled'
    customSubDomainName: 'my-ai-services'
  }
}
```
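Both templates above leave `publicNetworkAccess` enabled and key authentication switched on. The following Python check is an added example, not part of the original page or of any Microsoft tooling: it audits a `Microsoft.CognitiveServices/accounts` resource for those settings. The `audit_account` helper and its finding names are hypothetical; `disableLocalAuth` and `networkAcls.defaultAction` are properties of this resource type.

```python
import json

# The ARM resource shown on this page, embedded so the check runs offline.
PAGE_TEMPLATE = json.loads("""
{
  "type": "Microsoft.CognitiveServices/accounts",
  "apiVersion": "2023-05-01",
  "name": "my-ai-services",
  "location": "eastus",
  "kind": "CognitiveServices",
  "sku": {"name": "S0"},
  "properties": {
    "publicNetworkAccess": "Enabled",
    "customSubDomainName": "my-ai-services"
  }
}
""")

# Constructed hardened variant: no public access, keys disabled (Entra ID only).
HARDENED = {**PAGE_TEMPLATE, "properties": {
    "publicNetworkAccess": "Disabled",
    "customSubDomainName": "my-ai-services",
    "disableLocalAuth": True,
}}


def audit_account(resource, production=True):
    """Return sorted finding IDs (hypothetical names) for one account resource."""
    if resource.get("type") != "Microsoft.CognitiveServices/accounts":
        return []
    props = resource.get("properties", {})
    findings = []
    # Public access counts as open unless a network ACL denies by default.
    default_action = props.get("networkAcls", {}).get("defaultAction")
    if props.get("publicNetworkAccess", "Enabled") == "Enabled" and default_action != "Deny":
        findings.append("PUBLIC_NETWORK_OPEN")
    # Key 1 / Key 2 stay valid unless local (key) authentication is disabled.
    if not props.get("disableLocalAuth", False):
        findings.append("KEY_AUTH_ENABLED")
    # Entra ID token auth needs the custom subdomain endpoint.
    if not props.get("customSubDomainName"):
        findings.append("NO_CUSTOM_SUBDOMAIN")
    if production and resource.get("sku", {}).get("name") == "F0":
        findings.append("FREE_TIER_NO_SLA")
    return sorted(findings)


if __name__ == "__main__":
    print(audit_account(PAGE_TEMPLATE), audit_account(HARDENED))
```

With public network access disabled, clients reach the resource through a private endpoint, which has to be provisioned separately.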
Pricing Tiers
| Tier | Name | Use Case | SLA | Rate Limiting |
|---|---|---|---|---|
| Free | F0 | Development and testing | None | Low (e.g., 20 calls/minute) |
| Standard | S0 | Production workloads | 99.9% | Higher (e.g., 1,000 calls/minute) |
| Premium | S1+ | High-throughput production | 99.9%+ | Highest (varies by service) |
On the Exam: Free tier (F0) is sufficient for development but has no SLA and strict rate limits. Production scenarios always require Standard (S0) or higher. Questions may test whether you know which tier provides an SLA.
Endpoint and Authentication
Every Azure AI service resource exposes:
| Component | Description | Example |
|---|---|---|
| Endpoint | Base URL for API calls | https://my-ai-services.cognitiveservices.azure.com/ |
| Key 1 | Primary authentication key | a1b2c3d4e5f6... |
| Key 2 | Secondary key (for key rotation) | g7h8i9j0k1l2... |
| Resource ID | Azure resource identifier | /subscriptions/.../Microsoft.CognitiveServices/accounts/my-ai-services |
Using Keys in API Calls
```python
import os

from azure.ai.vision.imageanalysis import ImageAnalysisClient
from azure.core.credentials import AzureKeyCredential

# Read the endpoint and key from the environment rather than hard-coding them
endpoint = os.environ["VISION_ENDPOINT"]
key = os.environ["VISION_KEY"]

client = ImageAnalysisClient(
    endpoint=endpoint,
    credential=AzureKeyCredential(key)
)
```
Using Entra ID (Preferred for Production)
```python
import os

from azure.identity import DefaultAzureCredential
from azure.ai.vision.imageanalysis import ImageAnalysisClient

endpoint = os.environ["VISION_ENDPOINT"]

# No key is stored or passed: the credential obtains an Entra ID token at runtime
credential = DefaultAzureCredential()

client = ImageAnalysisClient(
    endpoint=endpoint,
    credential=credential
)
```
Key Rotation Strategy
Azure provides two keys per resource to enable zero-downtime key rotation:
- Applications use Key 1 for authentication
- Regenerate Key 2 (applications unaffected — still using Key 1)
- Update applications to use Key 2
- Regenerate Key 1 (applications unaffected — now using Key 2)
- Update applications back to Key 1 (or continue using Key 2)
On the Exam: Questions about key rotation test whether you understand that two keys exist specifically to enable rotation without downtime. The correct sequence involves switching applications to the secondary key before regenerating the primary key.
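The rotation sequence above can be checked against an in-memory model. This is an added example, not code from the original page and not an Azure SDK call: `AiResource`, `rotate` and `RotationBlocked` are hypothetical names. It records whether every consumer still authenticates after each step, and refuses to regenerate the old key while any consumer is still sending it.

```python
import secrets


class RotationBlocked(Exception):
    """Raised when a consumer still sends the key that is about to be retired."""


class AiResource:
    """In-memory stand-in for a resource with Key 1 and Key 2 (not an Azure SDK class)."""

    def __init__(self):
        self.keys = {"key1": secrets.token_hex(16), "key2": secrets.token_hex(16)}

    def regenerate(self, name):
        self.keys[name] = secrets.token_hex(16)  # the previous value stops working
        return self.keys[name]

    def accepts(self, value):
        return value in self.keys.values()


def rotate(resource, consumers, active="key1", lagging=()):
    """Run the sequence above. `consumers` maps app name -> key value it sends;
    apps listed in `lagging` miss the config update (constructed failure case).
    Returns [(step, all_consumers_still_authenticate), ...]."""
    standby = "key2" if active == "key1" else "key1"
    steps = []

    def record(step):
        ok = all(resource.accepts(v) for v in consumers.values())
        steps.append((step, ok))

    fresh = resource.regenerate(standby)      # nobody sends the standby key yet
    record(f"regenerate {standby}")
    for app in consumers:                     # roll the new value out
        if app not in lagging:
            consumers[app] = fresh
    record(f"switch apps to {standby}")
    stale = sorted(a for a, v in consumers.items() if v == resource.keys[active])
    if stale:                                 # regenerating now would lock these out
        raise RotationBlocked(stale)
    resource.regenerate(active)               # old key retired, apps unaffected
    record(f"regenerate {active}")
    return steps
```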
Regional Availability Considerations
Not all Azure AI services are available in every region. Key factors:
- Data residency: Choose a region that meets compliance requirements (e.g., EU data must stay in EU regions)
- Service availability: Azure OpenAI Service is only available in select regions (East US, West Europe, etc.)
- Latency: Choose the region closest to your users for lowest latency
- Paired regions: Consider disaster recovery with Azure region pairs
Which Azure CLI parameter specifies the type of AI service to create?
Why does each Azure AI resource have two authentication keys?
Which pricing tier provides an SLA for Azure AI services?